Accept URI for Sigstore Signed Images #2182
Conversation
Allows for container images signatures with a URI instead of a email address as the SAN. This is needed in certain cases such as using a github workflow to sign a container using the github actions OIDC token. The URI field was added to the `fulcioTrustRoot` struct and associated functions were modifed/created. Logic to handle either having a URI or email address as the SAN was also implemented. Signed-off-by: Luke Yang <[email protected]>
|
Hello @mtrmac, this is a small patch I've made to the |
|
Thanks for working on this! Without digging into the details, I think (unless I'm misunderstanding something here) this should be a PR against https://github.com/containers/image - any changes to the vendored sources here would be lost when updating. BTW a common thing when developing Go is to use the replace directive so that you can build a |
There was a problem hiding this comment.
Thanks!
- Yes, this needs to be a PR against containers/image, not against Skopeo . Please file one and we’ll continue there.
- I’m not immediately sure the URI field is the one we should target. Can you post the full
openssl x509 -textof the generated certificate, please? https://github.com/sigstore/fulcio/blob/main/docs/oid-info.md#directory documents various more specific fields, maybe this should actually target one (or more?) of them. OTOH just matching on SubjectAltName URIs might be more general. I don’t have a strong opinion so far. - For c/image/signature, it would also need unit tests with close-to-perfect coverage (both of the policy parsing and implementation/enforcement).
| if !slices.Contains(untrustedCertificate.EmailAddresses, f.subjectEmail) && !strings.Contains(untrustedCertificate.URIs[0].String(), f.URI) { | ||
| if len(untrustedCertificate.EmailAddresses) > 0 { | ||
| return nil, internal.NewInvalidSignatureError(fmt.Sprintf("Required email %s not found (got %#v)", | ||
| f.subjectEmail, | ||
| untrustedCertificate.EmailAddresses)) | ||
| } | ||
| if len(untrustedCertificate.URIs) > 0 { | ||
| return nil, internal.NewInvalidSignatureError(fmt.Sprintf("Required URI %s not found (got %#v)", | ||
| f.URI, | ||
| untrustedCertificate.URIs)) | ||
| } |
There was a problem hiding this comment.
⚠️ If the policy requires both an email address and an URI, this must not accept signatures which only have one of them- This is invoking
slices.Contains(…, "")if the field is not set. That’s at the very least unclean. - I suspect the error reporting logic should also be tightened. It must primarily decide based on the policy, not on attacker-set
untrusted*fields.
There was a problem hiding this comment.
If the policy requires both an email address and an URI, this must not accept signatures which only have one of them
I believe this would be an invalid policy with cosign. One or the other. A signed container won't have all the OIDs from my experience it will have a subset based on whether it was signed via the interactive cosign workflow or keyless method.
There was a problem hiding this comment.
Then such an invalid policy must be rejected at parsing/initialization time, not processed in an unexpected way.
| if gotSubjectEmail && !gotURI { | ||
| opts = append(opts, PRSigstoreSignedFulcioWithSubjectEmail(tmp.SubjectEmail)) | ||
| } | ||
| if !gotSubjectEmail && gotURI { | ||
| opts = append(opts, PRSigstoreSignedFulcioWithURI(tmp.URI)) | ||
| } |
There was a problem hiding this comment.
This is silently ignoring the options if both are specified?!
|
Moved to containers/image#2235 |
Fixes coreos/rpm-ostree#4272 (comment)
Allows for container images signatures with a URI instead of a email
address as the SAN. This is needed in certain cases such as using a github workflow to sign a container using the github actions OIDC token.
The URI field was added to the
fulcioTrustRootstruct and associated functions were modifed/created. Logic to handle either having a URI or email address as the SAN was also implemented.Testing:
Copy and store
fulcio_v1.crt.pemto/etc/pki/containers/fulcio.sigstore.dev.pubandrekor.pubto/etc/pki/containers/rekor.sigstore.dev.pub, both of which can be found at: https://github.com/sigstore/root-signing/blob/main/README.mdConfigure
/etc/containers/policy.json/etc/containers/registries.d/ghcr.io.yaml